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IN THE CLAIMS : 

Please amend claims 1, 2, 5, 19, 20, and 22 as indicated in below. 

A listing of the status of all claims 1-30 in the present patent application is provided 

below. 



1. (Currently Amended) A method for an enterprise to assess risks associated with 
an outside service provider, the method comprising: 

identifying , via an user interface, outside service provider information that describes the 
outside service provider; 

storing the outside service provider information in a database; 

identifyin g, via the user interface, resource information that describes resources of the 
enterprise associated with services provided by the outside service provider; 

storing the resource information in the database; 

assessin g, via server, an impact on the enterprise from a degradation of the services from 
the outside service provide r, wherein assessing the impact on the enterprise comprises assessing 
a business impact on the enterprise and assessing a country impact on the enterprise ; 

storing the assessment in the database; 

automatically determinin g, via the server, a criticality of the outside service provider in 
response to the assessment; 

storing the criticality in the database; and 

providin g, via the user interface, status data from the database, wherein the status data 
comprises at least one of a status of: 

the resource information; 
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the assessment; and 
the criticality. 

2. (Currently Amended) The method of claim 1, wherein the step of assessing the 
country impact on the enterprise further comprisin g comprises : 

identifying countries in which the outside service provider operates; and 
determining a country impact risk associated with the countries, wherein the step of 
automatically determining the criticality is also in response to the country impact risk. 

3. (Original) The method according to claim 2, wherein the step of determining a 
country impact risk further comprises: 

collecting economic condition information with respect to the country; 
storing the economic condition information in the database; 
collecting social condition information with respect to the country; 
storing the social condition information in the database; 
collecting political condition information with respect to the country; 
add storing the political condition information in the database; 

4. (Original) The method according to claim 1, wherein at least one of the resources 
of the enterprise includes at least one software application employed by the enterprise. 

5. (Currently Amended) The method according to claim 1, wherein the step of 
assessing the business impact on the enterprise further comprises at least one of: 

assessing an impact on external customers of the enterprise resulting from the 
degradation of the services from the outside service provider; 

assessing an impact on internal customers of the enterprise resulting from the degradation 
of the services from the outside service provider; 
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assessing a financial impact resulting from the degradation of the services from the 
outside service provider; 

assessing an allowable time period that the degradation of the services from the outside 
service provider can last; and 

assessing an impact on regulatory obligations resulting from the degradation of the 
services from the outside service provider. 

6. (Original) The method according to claim 1, further comprising: 
assigning specific people to fulfill roles with respect to management of a relationship 

with the outside service provider, wherein the roles include at least one of information owner and 
information risk manager. 

7. (Original) The method according to claim 6, further comprising: 
receiving acknowledgements of the acceptances of the assignments from the specific 

people. 

8. (Original) The method according to claim 6, further comprising: 
assigning alternate people to fulfill the roles. 

9. (Original) The method according to claim 6, wherein the role of the information 
owner comprises at least one of: 

obtaining from the outside service provider copies of financial and non-financial audit 

reports; 

obtaining documentation describing the outside service provider's procedural, physical 
access, logical access and business recovery controls; 



4 



U.S. Patent Application No.: 10/664,283 
Attorney Docket No.: 72167.000460 

requiring notification by the outside service provider of any organization, security-related 
and other changes affecting the availability, confidentiality, or integrity of the services provided 
by the outside service provider; and 

initiating the risk assessment process. 

10. (Original) The method according to claim 6, wherein the role of information risk 
manager comprises at least one of: 

maintaining an updated list of outside service providers used by the enterprise; and 
allocating resources for the outside service provider assessment process. 

11. (Original) The method according to claim 1, wherein all of the steps of the 
method are facilitated using a software application, the method further comprising: 

generating data input screens for accepting input from a user; and 
providing drop down boxes on the data input screens in order to facilitate selection of 
predefined information. 

12. (Original) The method according to claim 1, further comprising assessing a 
recovery plan of the outside service provider. 

13. (Original) The method according to claim 12, wherein the assessment of the 
outside service provider recovery plan further comprises: 

questioning the developer of the plan as to whether it has required elements; and 
developing a corrective action plan to address missing required elements. 

14. (Original) The method according to claim 13, wherein the required elements 

include: 

an alternate site for providing the services; and 
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a business continuity plan for resumption of the services at the alternate site. 

15. (Original) The method according to claim 1, wherein the step of providing status 
data further comprises: 

providing status data on the enterprise level; providing status data on a line of business 
level; and 

providing status data on a department level. 

16. (Original) The method according to claim 1, wherein the enterprise has policies 
and procedures for protecting the integrity of the provision of services, the method further 
comprising assessing the compliance of the outside service provider to the policies and 
procedures. 

17. (Original) The method according to claim 16, further comprising developing a 
corrective action plan if the outside service provider is not in compliance, the corrective action 
plan containing the steps required to bring the outside service provider into compliance. 

18. (Original) The method according to claim 17, further comprising obtaining an 
acknowledgement by management of the enterprise of risk associated with the non-compliance 
of the outside service provider. 

19. (Currently Amended) A system for an enterprise to assess risks associated with 
an outside service provider comprising: 

a user interface for interfacing with users of the system; 

at least one database server and at least one application server coupled to the user 
interface; and 

at least one database and at least one application respectively coupled to the database 
server and the application server; 
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wherein the system is programmed to: 

accept outside service provider information that describes the outside service 

provider; 

store the outside service provider information in a database; 
accept resource information that describes resources of the enterprise associated 
with services provided by the outside service provider; 

store the resource information in the database; 

assess an impact on the enterprise from a degradation of the services from the 
outside service provide r, wherein assess the impact on the enterprise comprises assess a business 
impact on the enterprise and assess a country impact on the enterprise ; 

store the assessment in the database; 

automatically determine a criticality of the outside service provider in response to 
the assessment; 

store the criticality in the database; and 

provide status data from the database, wherein the status data comprises at least 
one of a status of the resource information, the assessment, and the criticality. 

20. (Currently Amended) The system of claim 19, wherein the s yst e m i s assessment 
of the country impact on the enterprise further programm e d to comprises : 

accept countries in which the outside service provider operates; and 
determine a country impact risk associated with the countries, wherein the step of 
automatically determining the criticality is also in response to the country impact risk. 

21. (Original) The system according to claim 19, wherein at least one of the 
resources of the enterprise includes at least one software application employed by the enterprise. 
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22. (Currently Amended) The system according to claim 19, wherein the assessment 
of the business impact on the enterprise further comprises at least one of: 

an assessment of an impact on external customers of the enterprise resulting from the 
degradation of the services from the outside service provider; 

an assessment of an impact on internal customers of the enterprise resulting from the 
degradation of the services from the outside service provider; 

an assessment of a financial impact resulting from the degradation of the services from 
the outside service provider; 

an assessment of an allowable time period that the degradation of the services from the 
outside service provider can last; and 

an assessment of an impact on regulatory obligations resulting from the degradation of 
the services from the outside service provider. 

23. (Original) The system according to claim 19, wherein the database further 
includes: 

an assignment of specific people to fulfill roles with respect to management of a 
relationship with the outside service provider, wherein the roles include at least one of 
information owner and information risk manager. 

24. (Original) The system according to claim 23, wherein the database further 
includes: 

acknowledgements of the acceptances of the assignments from the specific people. 

25. (Original) The system according to claim 23, wherein the database further 
includes: 
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an assignment of alternate people to fulfill the roles. 

26. (Original) The system according to claim 19, wherein the system is further 
programmed to assess a recovery plan of the outside service provider. 

27. (Original) The system according to claim 26, wherein the user interface is used to 
collect responses from the developer of the recovery plan as to whether it has required elements, 
and to collect a corrective action plan to address missing required elements. 

28. (Original) The system according to claim 27, wherein the required elements 
include: 

an alternate site for providing the services; and a business continuity plan for resumption 
of the services at the alternate site. 

29. (Original) The system according to claim 19, wherein the status data further 
comprises: 

status data on the enterprise level; status data on a line of business level; and status data 
on a department level. 

30. (Original) The system according to claim 19, wherein the user interface further 
comprises: 

data input screens for accepting input from a user; and drop down boxes on the data input 
screens in order to facilitate selection of predefined information. 
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